Add Linux Container Enumeration Module

[stealthcopter]

Adds a new module post/linux/gather/enum_containers that will detect if there are any container platforms (runnable by the current user) on the target machine and list any actively running containers on any it finds. Currently supports Docker, LXC and RKT

Verification

List the steps needed to make sure this thing works

• Start msfconsole
• Get a session via exploit of your choice, on a target that has containers running
• use post/linux/gather/enum_containers
• set session 1
• run
• Verify that the module lists any active containers

Scenarios

Scenario 1: Docker is installed and there are 4 running containers

msf5 post(linux/gather/enum_containers) > set session 4
session => 4
msf5 post(linux/gather/enum_containers) > run

[+] docker: 4 Active Containers
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
6e406d13fde7        ubuntu              "/bin/bash"         5 days ago          Up 45 hours                             test4
3d137beafb08        ubuntu              "/bin/bash"         5 days ago          Up 45 hours                             test3
8cb7e2aff68a        ubuntu              "/bin/bash"         5 days ago          Up 45 hours                             test2
1a339ef0d38e        ubuntu              "/bin/bash"         5 days ago          Up 45 hours                             test1
[*] Post module execution completed

Scenario 2: Docker, LXC and RKT are installed

msf5 post(linux/gather/enum_containers) > set session 5
session => 5
msf5 post(linux/gather/enum_containers) > run

[+] docker: 4 Active Containers
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
6e406d13fde7        ubuntu              "/bin/bash"         5 days ago          Up 45 hours                             test4
3d137beafb08        ubuntu              "/bin/bash"         5 days ago          Up 45 hours                             test3
8cb7e2aff68a        ubuntu              "/bin/bash"         5 days ago          Up 45 hours                             test2
1a339ef0d38e        ubuntu              "/bin/bash"         5 days ago          Up 45 hours                             test1
[+] lxc: 2 Active Containers
+---------------+---------+-----------------------+-----------------------------------------------+-----------+-----------+
|     NAME      |  STATE  |         IPV4          |                     IPV6                      |   TYPE    | SNAPSHOTS |
+---------------+---------+-----------------------+-----------------------------------------------+-----------+-----------+
| t4testingName | RUNNING | 10.132.199.244 (eth0) | fd42:53d9:b4c9:609e:216:3eff:fece:f6df (eth0) | CONTAINER | 0         |
+---------------+---------+-----------------------+-----------------------------------------------+-----------+-----------+
| ubuntu        | RUNNING | 10.132.199.192 (eth0) | fd42:53d9:b4c9:609e:216:3eff:fe9a:fa5f (eth0) | CONTAINER | 0         |
+---------------+---------+-----------------------+-----------------------------------------------+-----------+-----------+
[+] rkt: 0 Active Containers
[*] Post module execution completed

Scenario 3: No container software is runnable

msf5 post(linux/gather/enum_containers) > set session 6
session => 6
msf5 post(linux/gather/enum_containers) > run
[-] No container software appears to be installed
[*] Post module execution completed

[gwillcox-r7]

@stealthcopter Very nice first PR, congrats! A few minor suggestions, the only real issue I found was an issue with the author field which may confuse some of our backend systems, and a case of you using the print command instead of something like print_status. Rest of it is suggestions for ways to improve your code so that it makes a bit more sense to users in some cases.

[gwillcox-r7]

Also one more comment @stealthcopter but you may want to rename this module to enum_running_containers.rb if its only going to be enumerating running containers. Otherwise as of right now, given the module name, I would expect the module to also enumerate non-running containers and list those as well (could always add this in though, shouldn't be too hard to do).

[h00die]

This would be good info to either store as a host note, or as loot.

May be nice to sync the output styles as well instead of having one in a framed table and another not. (I prefer the first table personally)

[stealthcopter]

@gwillcox-r7 @h00die @adfoster-r7 thanks for all the feedback! I'll make some changes and update :)

[bcoles]

noActive isn't defined anywhere. It should be no_active.

Also, no_active is not an intuitive variable name. active_containers or container_count would make more sense.

Also, the loops could be cleaned up a lot. The temporary state variables aren't required.

Also, you can probably use print_line rather than print.

Here's some psuedo code.

  # Run Method for when run command is issued
  def run
    platforms = %w[docker lxc rkt].map{|p| runnable(p)}

    if platforms.empty?
      print_error('No container software appears to be installed or runnable by the current user')
      return
    end

    platforms.each do |platform|
      active_containers = count_containers(platform)
      print_status("#{platform}: #{active_containers} active containers")

      next unless active_containers

      containers = list_containers(platform)
      print_line(containers.to_s)
    end
  end

[stealthcopter]

@bcoles thanks for the tips, I've not really used ruby before so that's very helpful. Appreciate it!

[bcoles]

@bcoles thanks for the tips, I've not really used ruby before so that's very helpful. Appreciate it!

Here's an example of how you can use map / reject to cleanup an array before iterating :

# cat tribute-to-nodejs.rb 
#!/usr/bin/env ruby

def is_ten_thousand?(number)
  number == 10_000
end

def main
  numbers = [1, 100, 1_000, 10_000, 100_000].reject{|n| !is_ten_thousand?(n) }
  numbers.each do |number|
    puts number.to_s
  end
end

main

# ./tribute-to-nodejs.rb 
10000

[stealthcopter]

Made some changes following the feedback above:

• Added CMD argument as an optional command to run on each running container. I've added this because it seems like a really useful feature and as @adfoster-r7 pointed out there may be some interesting vars in the environment variables. So you could do something like set cmd env and it would run env on all the active containers.
• Fixed author
• Shows active and total number of containers
• Changed no_active -> now num_containers and num_running_containers
• Logic and loops tidied using ruby conventions (cheers @bcoles)
• Uses docker container ls -a instead of docker ps`

Issues not solved yet:

• When printing the tables, they need to start on a newline, when using print_good or print_status, it's prefixed with [*] is there a way to avoid this? I was using print, but don't think you wanted me to use that but wasn't sure of the alternative?
• Tables aren't unified between container platforms - this is non trivial as the output is very different between platforms (supported fields etc, default things shown, and lack of formatting options in rkt). As only 1 or 0 container platforms are likely to be found on a host I don't think matching output tables is a high priority, thoughts?
• Not added to loot (not had a look yet, welcome suggestions)

Hope I haven't made it too complicate adding the CMD arg, I think it massively improves the functionality tho :)

[label-actions]

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. This can be ran from the root directory of Metasploit:

rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>

You can automate most of these changes with the -a flag:

rubocop -a <directory or file>

Please update your branch after these have been made, and reach out if you have any problems.

[gwillcox-r7]

• When printing the tables, they need to start on a newline, when using print_good or print_status, it's prefixed with [*] is there a way to avoid this? I was using print, but don't think you wanted me to use that but wasn't sure of the alternative?

@stealthcopter I don't think that just using print would be an issue so long as you add a line before it explaining that your printing out the table. I agree with @h00die's comment though that the former table without the lines looks neater overall.

• Tables aren't unified between container platforms - this is non trivial as the output is very different between platforms (supported fields etc, default things shown, and lack of formatting options in rkt). As only 1 or 0 container platforms are likely to be found on a host I don't think matching output tables is a high priority, thoughts?

Alright so after some more discussions with the team on this, I think the general feeling is that the tables themselves should have consistent rough styling. What do I mean by this? Well I mean that in your example you had one table with lines within it, and one without. I would lean towards the one without and not try to table everything.

As for their content, when adding it to loot you should aim to add good tiles and notes so that one can easily locate the note once it is in the database. I would say perhaps having different ltype values when you add the loot entry via store_loot would be one way to do this, as this will add in Metadata that could help differentiate different entries from one another.

For an example of how store_loot is used in another module, you can look at https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/enum_applications.rb#L67-L68

You can find the definition for this function here:

metasploit-framework/lib/msf/core/auxiliary/report.rb

Lines 371 to 388 in d631448

	#
	# Store some data stolen from a session as a file
	#
	# Also stores metadata about the file in the database when available
	# +ltype+ is an OID-style loot type, e.g. "cisco.ios.config". Ignored when
	# no database is connected.
	#
	# +ctype+ is the Content-Type, e.g. "text/plain". Affects the extension
	# the file will be saved with.
	#
	# +host+ can be an String address or a Session object
	#
	# +data+ is the actual contents of the file
	#
	# +filename+ and +info+ are only stored as metadata, and therefore both are
	# ignored if there is no database
	#
	def store_loot(ltype, ctype, host, data, filename=nil, info=nil, service=nil)

[stealthcopter]

@gwillcox-r7 Thanks again. Yup, it's pretty annoying how LXC have decided to make their own fancy tables. I've fixed this using the following code. Please let me know if it could be improved:

result = cmd_exec('lxc list').each_line.reject { |st| st =~ /^\+--/ }.map.with_index.map do |s, i|
  if i == 0
    s.split('| ').map { |t| t.strip.ljust(t.size, ' ').gsub(/\|/, '') }.join + "\n"
  else
    s.gsub(/\| /, '').gsub(/\|/, '')
  end
end.join.strip

This creates the following output on my test setup:

msf5 post(linux/gather/enum_containers) > run

[+] docker: 6 Running Containers / 6 Total
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
a1993b76b3a4        php                 "docker-php-entrypoi…"   2 days ago          Up 2 days                               deepce-container-escape1
ba118f0bd6e4        ubuntu              "/bin/bash"              6 days ago          Up 3 days                               test5
6e406d13fde7        ubuntu              "/bin/bash"              3 weeks ago         Up 3 days                               test4
3d137beafb08        ubuntu              "/bin/bash"              3 weeks ago         Up 3 days                               test3
8cb7e2aff68a        ubuntu              "/bin/bash"              3 weeks ago         Up 3 days                               test2
1a339ef0d38e        ubuntu              "/bin/bash"              3 weeks ago         Up 3 days                               test1

[+] Results stored in: /root/.msf4/loot/20200730164519_default_192.168.0.231_host.docker_cont_534990.txt

[+] lxc: 3 Running Containers / 3 Total
NAME          STATE   IPV4                  IPV6                                          TYPE      SNAPSHOTS  
fPjLQFNNC     RUNNING 10.132.199.139 (eth0) fd42:53d9:b4c9:609e:216:3eff:fe54:9d86 (eth0) CONTAINER 0         
t4testingName RUNNING 10.132.199.244 (eth0) fd42:53d9:b4c9:609e:216:3eff:fece:f6df (eth0) CONTAINER 0         
ubuntu        RUNNING 10.132.199.192 (eth0) fd42:53d9:b4c9:609e:216:3eff:fe9a:fa5f (eth0) CONTAINER 0

[+] Results stored in: /root/.msf4/loot/20200730164521_default_192.168.0.231_host.lxc_contain_199501.txt

[*] Post module execution completed

And the loot looks like below:

msf5 post(linux/gather/enum_containers) > loot

Loot
====

host           service  type                    name                   content     info               path
----           -------  ----                    ----                   -------     ----               ----
192.168.0.231           host.docker_containers  docker_containers.txt  text/plain  docker Containers  /root/.msf4/loot/20200730164519_default_192.168.0.231_host.docker_cont_534990.txt
192.168.0.231           host.lxc_containers     lxc_containers.txt     text/plain  lxc Containers     /root/.msf4/loot/20200730164521_default_192.168.0.231_host.lxc_contain_199501.txt

[gwillcox-r7]

Very nice work @stealthcopter, that looks a lot better!

[gwillcox-r7]

@stealthcopter Sorry for delay on this. Initial testing seems to be good, showing that no containers on running on the target host (as is the case):

msf5 post(linux/gather/enum_containers) > show options

Module options (post/linux/gather/enum_containers):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CMD                       no        Optional command to run on each running container
   SESSION                   yes       The session to run this module on.

msf5 post(linux/gather/enum_containers) > set SESSION 5
SESSION => 5
msf5 post(linux/gather/enum_containers) > exploit

[-] No container software appears to be installed or runnable by the current user
[*] Post module execution completed
msf5 post(linux/gather/enum_containers) >

Unfortunately though if your not running as an admin user sometimes its not possible to run the docker commands and your module doesn't seem to notice this, giving the false impression that container software cannot be installed when really we can only run the docker command when we are root:

After installing Docker and setting up a nginx container:

msf5 post(linux/gather/enum_containers) > exploit

[-] No container software appears to be installed or runnable by the current user
[*] Post module execution completed
msf5 post(linux/gather/enum_containers) > sessions -i 6
[*] Starting interaction with 6...

meterpreter > getuid
Server username: no-user @ gwillcox-Virtual-Machine (uid=1000, gid=1000, euid=1000, egid=1000)
meterpreter > uname
[-] Unknown command: uname.
meterpreter > shell
Process 12603 created.
Channel 7 created.

uname -a
Linux gwillcox-Virtual-Machine 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
docker

Usage:  docker [OPTIONS] COMMAND

A self-sufficient runtime for containers

Options:
      --config string      Location of client config files (default
                           "/home/gwillcox/.docker")
  -c, --context string     Name of the context to use to connect to the
                           daemon (overrides DOCKER_HOST env var and
                           default context set with "docker context use")
  -D, --debug              Enable debug mode
  -H, --host list          Daemon socket(s) to connect to
  -l, --log-level string   Set the logging level
                           ("debug"|"info"|"warn"|"error"|"fatal")
                           (default "info")
      --tls                Use TLS; implied by --tlsverify
      --tlscacert string   Trust certs signed only by this CA (default
                           "/home/gwillcox/.docker/ca.pem")
      --tlscert string     Path to TLS certificate file (default
                           "/home/gwillcox/.docker/cert.pem")
      --tlskey string      Path to TLS key file (default
                           "/home/gwillcox/.docker/key.pem")
      --tlsverify          Use TLS and verify the remote
  -v, --version            Print version information and quit

Management Commands:
  builder     Manage builds
  config      Manage Docker configs
  container   Manage containers
  context     Manage contexts
  engine      Manage the docker engine
  image       Manage images
  network     Manage networks
  node        Manage Swarm nodes
  plugin      Manage plugins
  secret      Manage Docker secrets
  service     Manage services
  stack       Manage Docker stacks
  swarm       Manage Swarm
  system      Manage Docker
  trust       Manage trust on Docker images
  volume      Manage volumes

Commands:
  attach      Attach local standard input, output, and error streams to a running container
  build       Build an image from a Dockerfile
  commit      Create a new image from a container's changes
  cp          Copy files/folders between a container and the local filesystem
  create      Create a new container
  deploy      Deploy a new stack or update an existing stack
  diff        Inspect changes to files or directories on a container's filesystem
  events      Get real time events from the server
  exec        Run a command in a running container
  export      Export a container's filesystem as a tar archive
  history     Show the history of an image
  images      List images
  import      Import the contents from a tarball to create a filesystem image
  info        Display system-wide information
  inspect     Return low-level information on Docker objects
  kill        Kill one or more running containers
  load        Load an image from a tar archive or STDIN
  login       Log in to a Docker registry
  logout      Log out from a Docker registry
  logs        Fetch the logs of a container
  pause       Pause all processes within one or more containers
  port        List port mappings or a specific mapping for the container
  ps          List containers
  pull        Pull an image or a repository from a registry
  push        Push an image or a repository to a registry
  rename      Rename a container
  restart     Restart one or more containers
  rm          Remove one or more containers
  rmi         Remove one or more images
  run         Run a command in a new container
  save        Save one or more images to a tar archive (streamed to STDOUT by default)
  search      Search the Docker Hub for images
  start       Start one or more stopped containers
  stats       Display a live stream of container(s) resource usage statistics
  stop        Stop one or more running containers
  tag         Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE
  top         Display the running processes of a container
  unpause     Unpause all processes within one or more containers
  update      Update configuration of one or more containers
  version     Show the Docker version information
  wait        Block until one or more containers stop, then print their exit codes

Run 'docker COMMAND --help' for more information on a command.

docker ps
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.40/containers/json: dial unix /var/run/docker.sock: connect: permission denied

It would be good if you could detect this for your various platforms to allow us to say "hey container software appears to be running on this host, but we can't check whats running due to a lack of permissions"

[stealthcopter]

@gwillcox-r7 No worries. Good spot, I'll get this fixed shortly!

[gwillcox-r7]

Okay made some more updates to fix some order of some checks output now informs the user when we run into errors due to a lack of permissions:

msf5 post(linux/gather/enum_containers) > exploit

[+] docker was found on the system!
[-] Was unable to enumerate the number of docker containers due to a lack of permissions!
[-] No active or inactive containers were found for docker

[+] lxc was found on the system!
[+] lxc: 1 Running Containers / 1 Total
NAME    STATE   IPV4                 IPV6                                         TYPE      SNAPSHOTS
one-fox RUNNING 10.166.198.97 (eth0) fd42:a29:a47e:79c6:216:3eff:fe1f:1dca (eth0) CONTAINER 0
[+] Results stored in: /home/gwillcox/.msf4/loot/20200805173904_default_172.27.129.4_host.lxc_contain_159662.txt

[+] rkt was found on the system!
[-] Was unable to enumerate the number of rkt containers due to a lack of permissions!
[-] No active or inactive containers were found for rkt

[*] Post module execution completed

[gwillcox-r7]

@stealthcopter Applied some more updates to the documentation to introduce a new scenario and better explain scenario 2, however the documentation will need to be updated to better reflect the output from the module now that a few lines have been updated.

[gwillcox-r7]

@stealthcopter Applying another round of updates as after further review of the code you had some logic backwards and were printing the total number of containers as the number of running containers and the number of running containers as the total number of containers 🥴

[gwillcox-r7]

Hmm looks like even as the root user we are still experiencing some issues with rkt:

msf5 post(linux/gather/enum_containers) > exploit

[+] docker was found on the system!
[+] docker: 1 Running Containers / 5 Total
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                      PORTS               NAMES
853913ae1e17        nginx               "/docker-entrypoint.…"   27 minutes ago      Up 27 minutes               80/tcp              lucid_tu
0422ad0a1d6e        nginx               "/docker-entrypoint.…"   28 minutes ago      Exited (0) 28 minutes ago                       gifted_thompson
35930fd284e1        nginx               "/docker-entrypoint.…"   2 days ago          Exited (0) 4 hours ago                          unruffled_gates
a7149a9a858e        nginx               "/docker-entrypoint.…"   2 days ago          Exited (127) 2 days ago                         pedantic_tesla
cfa40ec4d85c        nginx               "/docker-entrypoint.…"   2 days ago          Exited (0) 2 days ago                           fervent_gates
[+] Results stored in: /home/gwillcox/.msf4/loot/20200805190631_default_172.27.129.4_host.docker_cont_202169.txt

[+] lxc was found on the system!
[+] lxc: 1 Running Containers / 1 Total
NAME    STATE   IPV4                 IPV6                                         TYPE      SNAPSHOTS
one-fox RUNNING 10.166.198.97 (eth0) fd42:a29:a47e:79c6:216:3eff:fe1f:1dca (eth0) CONTAINER 0
[+] Results stored in: /home/gwillcox/.msf4/loot/20200805190631_default_172.27.129.4_host.lxc_contain_211831.txt

[+] rkt was found on the system!
[-] No active or inactive containers were found for rkt

[*] Post module execution completed

[gwillcox-r7]

Hmm looks like even as the root user we are still experiencing some issues with rkt:

msf5 post(linux/gather/enum_containers) > exploit

[+] docker was found on the system!
[+] docker: 1 Running Containers / 5 Total
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                      PORTS               NAMES
853913ae1e17        nginx               "/docker-entrypoint.…"   27 minutes ago      Up 27 minutes               80/tcp              lucid_tu
0422ad0a1d6e        nginx               "/docker-entrypoint.…"   28 minutes ago      Exited (0) 28 minutes ago                       gifted_thompson
35930fd284e1        nginx               "/docker-entrypoint.…"   2 days ago          Exited (0) 4 hours ago                          unruffled_gates
a7149a9a858e        nginx               "/docker-entrypoint.…"   2 days ago          Exited (127) 2 days ago                         pedantic_tesla
cfa40ec4d85c        nginx               "/docker-entrypoint.…"   2 days ago          Exited (0) 2 days ago                           fervent_gates
[+] Results stored in: /home/gwillcox/.msf4/loot/20200805190631_default_172.27.129.4_host.docker_cont_202169.txt

[+] lxc was found on the system!
[+] lxc: 1 Running Containers / 1 Total
NAME    STATE   IPV4                 IPV6                                         TYPE      SNAPSHOTS
one-fox RUNNING 10.166.198.97 (eth0) fd42:a29:a47e:79c6:216:3eff:fe1f:1dca (eth0) CONTAINER 0
[+] Results stored in: /home/gwillcox/.msf4/loot/20200805190631_default_172.27.129.4_host.lxc_contain_211831.txt

[+] rkt was found on the system!
[-] No active or inactive containers were found for rkt

[*] Post module execution completed

Seems like this was due to this command rkt list | grep running | tail -n +2 | wc -l which was failing as whilst grep running was working, the tail -n +2 command cut off the only line that was returned, thereby ensuring that wc -l would return 0 unless there were more than 2 running containers.

So I've changed this command to 'rkt list | tail -n +2 | grep running | wc -l' so that we first cut off the excess lines from the rkt list output before we go ahead and then try to grep the remaining output.

[gwillcox-r7]

Some other points: you used list_running_containers_id and container_execute and return false on failure, yet calls to these commands are not checked to see if they return false at all. In fact you shouldn't even be returning false given that the callers are expecting strings as a result. If anything you should be returning nil, and the callers should be checking if the object is nil prior to using it.

Otherwise your going to end up calling string functions on a Boolean, which will end up causing stack traces. And no one likes stack traces 😁

[gwillcox-r7]

Okay one more thing: you have a section of your code which does next if cmd.blank?, yet you had the definition container_execute(container_type, container_identifier, command = 'env'). I've removed the default value for the command argument as if is not set to a valid command then container_execute will never be executed, so there is no point in setting it to a default of env given these cirumstances.

[gwillcox-r7]

One last thing before I upload these changes: you have the option in your code to execute an arbitrary command and print it to the screen but for some reason you never decided to store this info in loot. I've updated your code so that it should now save the results of executing the given command into the loot part of the database, and then print out the location of the resulting file.

[gwillcox-r7]

Next commit should also update the documentation so it is all up to scratch with the new output

Dismissing review as I applied these changes myself

[stealthcopter]

@gwillcox-r7 Tested here and it's all working well, thanks for all the changes, it looks great now! RuboCop spotted a few more issues for me, so updated.

[gwillcox-r7]

@gwillcox-r7 Tested here and it's all working well, thanks for all the changes, it looks great now! RuboCop spotted a few more issues for me, so updated.

Looks good to me :) I'll go ahead and land this into the framework so long. Thanks for the contribution!

[gwillcox-r7]

Release Notes

New module post/linux/gather/enum_containers detects if there are any container platforms (runnable by the current user) on the target machine and lists all actively running containers. This module currently supports Docker, LXC and RKT, though more platforms may be added in the future.

[stealthcopter]

@gwillcox-r7 awesome thanks for all your help!

[gwillcox-r7]

@stealthcopter No problem, and thanks for that last RuboCop fix; somehow it slipped past me when I ran RuboCop last night 👍